05000269/LER-2017-001

On June 16, 2017, during implementation of a modification to Keowee Hydroelectric Station Governor Actuator Cabinets 1 and 2, breakers were inadvertently repositioned in each of the governor control system for Keowee Hydroelectric Units 1 and 2 (KHU1 and KHU2), rendering both units inoperable. The condition was discovered following an unsuccessful start of KHU2 for commercial operation. The KHUs are the onsite emergency power source for the Oconee Nuclear Station.
It was concluded that this constituted a loss of safety function from the time when both KHUs were inoperable until the dedicated offsite power source was aligned to the emergency busses; a period of approximately 7 hours

Technical Specifications (TS) were followed based on time of discovery; however, a subsequent review of computer logs provided firm evidence that both KHUs were inoperable for longer than allowed by TSs based on "past inoperability," requiring this event to be reported pursuant to 10 CFR 50.73(a)(2)(i)(B) as a condition prohibited by the plant's Technical Specifications.

The direct cause of this event was attributed to the reposition due to inadvertent contact of two 24 VDC breakers. The risk impact of this event was determined to be insignificant and corrective actions are planned to prevent recurrence.

Contents

BACKGROUND

At Oconee Nuclear Station (ONS), the Keowee Hydroelectric Station (KHS) [EIIS:EK] serves the emergency power function typically performed by diesel generators [EIIS: DG] at other nuclear facilities.

The KHS consists of two (2) hydroelectric turbine/generator units (KHUs) and associated support equipment and auxiliaries. Each KHU is provided with its own automatic start equipment and both KHUs undergo simultaneous automatic emergency starts during an emergency. Either KHU may be aligned to either of two emergency power paths, with the underground path being preferred if only one KHU is available. In addition to Keowee, a 100 kV transmission line from a nearby plant with dedicated combustion turbines [EllS: TUR] can provide power to the Stand-by Buss (the emergency buss that supplies emergency loads on all three Oconee units).

Governor [EIIS: 65] Actuator Cabinets [EIIS: CAB] GAC1 and GAC2 contain control circuitry and components for KHU1 and KHU2 respectively, including breakers [EIIS: 52] K1 GCS BK0001 and K2 GCS BK0001 as part of the Governor Control System for KHU1 and KHU2 respectively. These breakers are small, 'plug in' type, 10 amp breakers with the actuating power switches [EIIS: JS] protruding into an open space inside their respective cabinets. These breakers provide 24 VDC to a distributing valve [EIIS: V] assembly and shutdown solenoid valve [EIIS: SV] which are both required to actuate for Keowee to start. The shutdown solenoid is a fail-safe valve that requires energization to open during turbine operation. Without power, the solenoid valve closes.

EVENT DESCRIPTION

On June 16, 2017, at approximately 0740 hours

0.00856 days 0.206 hours 0.00122 weeks 2.8157e-4 months

, workers were implementing a modification to Governor Actuator Cabinets 1 and 2 located within the Keowee Hydroelectric Station. The investigation showed that at approximately 0907 hours

0.0105 days 0.252 hours 0.0015 weeks 3.451135e-4 months

, Operator Aid Computer (OAC) alarm [EllS: ALM] indications for K1 GCS BK0001 breaker for KHU1 Channel A and B Governor Critical Alarm were received on the OAC alarm screens located in the Keowee Control Room (KCR). These alarms were not observed by the Keowee operator since he was still on rounds and not in the KCR. Normally, when a Governor Critical Alarm is received, Stat-Alarms in both the Keowee and Oconee Unit 2 Control Rooms are generated. Additionally, a governor critical alarm condition triggers an emergency lock-out of the unit, which would also normally generate Stat-Alarms. However, in this-instance, no Stat-Alarms were generated and no emergency lock-out condition was triggered due to the failure mode design of the repositioned breaker defeating the signal sent to the Stat-Alarms. Had a Stat-Alarm been received, the protocol of Stat-Alarm management would have been followed by the Oconee Unit 2 Control Room, the Oconee Unit 2 Senior Reactor Operator and the Keowee Control operators, potentially reducing the probability for this single incident to have escalated further. At 1020 hours

0.0118 days 0.283 hours 0.00169 weeks 3.8811e-4 months

, similar OAC alarm indications were received in the KCR associated with the KHU2 K2 GCS BK0001 breaker.

At 1321 hours

0.0153 days 0.367 hours 0.00218 weeks 5.026405e-4 months

, while attempting to start KHU2 for commercial generation, an "incomplete start" alarm was received in the KCR. Investigation into the matter subsequently revealed that the two (2) repositioned breakers were open and both KHUs were non-functional. Each KHU was declared inoperable at 1635 hours

0.0189 days 0.454 hours 0.0027 weeks 6.221175e-4 months

.

In Mode 1, KHU operability is required by TS 3.8.1, "AC Sources - Operating," and TS 3.7.10, "Protected Service Water." The appropriate TS conditions were entered and the Required Actions completed within the allowed Completion Times. As required by TS Limiting Condition for Operation (LCO) 3.8.1, Condition I, due to the loss of both KHUs, Standby Buses were energized from a 1 dedicated Lee Combustion Turbine and an isolated power path at 1715 hours

0.0198 days 0.476 hours 0.00284 weeks 6.525575e-4 months

. An NRC Emergency Notification System (ENS) call was made at 0032 hours

3.703704e-4 days 0.00889 hours 5.291005e-5 weeks 1.2176e-5 months

on June 17, 2017, pursuant to 10 CFR 50.72(b)(3)(v)(A-D), reporting the event as a loss of safety function (Ref.: EN 52812). The reporting premise for the loss of safety function was that there was a 40 minute period, between when both KHUs were declared inoperable and when the LCTs energized the standby busses, when the station was without its normal onsite emergency power sources.
Subsequent troubleshooting efforts concluded that the two KHU1 and 2 breakers were mechanically and electronically sound and operating properly, but due to work activities being performed in the vicinity of these breakers, had probably been inadvertently repositioned. Both breakers were returned to the closed position and a KHU1 functional run was conducted. KHU1 was declared operable at 2150 hours

0.0249 days 0.597 hours 0.00355 weeks 8.18075e-4 months

. A KHU2 functional test run was then performed, the unit declared operable at 2351 hours

0.0272 days 0.653 hours 0.00389 weeks 8.945555e-4 months

, and the associated TS Conditions related to this event were exited.
Based on a review of OAC data, it was subsequently determined that a loss of safety function existed between 1020 hours

0.0118 days 0.283 hours 0.00169 weeks 3.8811e-4 months

(the time when both KHUs were rendered inoperable due to the inadvertent breaker repositioning) and 1715 hours

0.0198 days 0.476 hours 0.00284 weeks 6.525575e-4 months

(when the offsite Lee Combustion Turbines were aligned to the standby busses); a period of —7 hours. A loss of safety function is reportable pursuant to 10 CFR 50.73(a)(2)(v)(A-D) as "Any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are need to: (A) Shut down the reactor and maintain it in a safe shutdown condition; (B) Remove residual heat; (C) Control the release of radioactive material; or (D) Mitigate the consequences of an accident.
From the time KHU inoperability was initially declared at 1635 hours

0.0189 days 0.454 hours 0.0027 weeks 6.221175e-4 months

on June 16, 2017, TS LCOs 3.8.1 and 3.7.10 were appropriately entered and the Required Actions completed within the stated Completion Times. However, a review of OAC data revealed that the first KHU was actually inoperable on June 16, 2017, beginning at 0907 hours

0.0105 days 0.252 hours 0.0015 weeks 3.451135e-4 months

and as such, the 1-hour TS LCO 3.8.1 Required Action Completion Time (per Required Action C.1) was not satisfied. Consequently, this event is also reportable pursuant to 10 CFR 50.73(a)(2)(i)(B) as a condition prohibited by the plant's Technical Specifications.

CAUSAL FACTORS

The direct cause of this event is attributed to the two (2) 24 VDC breakers K1 GCS BK0001 and K2 GCS BK0001, being out of position and rendering both KHUs inoperable due to human error.

CORRECTIVE ACTIONS

1. Completed Verified governor control system integrity on both units which allowed restoration of KHU operability in accordance with TS LCO 3.8.1.

b. Enhance protective measures (e.g., physical / passive / extra signage) requirements for the GCS panels as well as other KHU repositionable components that may be susceptible to a similar event.

c. Improve Work Management controls to address (1) the potential consequences of working on both KHUs at the same time and (2) limiting work on a KHU that is in service.

The planned corrective actions indicated above are NOT considered NRC Commitment items.

SAFETY ANALYSIS

A probabilistic risk assessment (PRA) evaluation was conducted for the period of KHU inoperability to determine the significance of this event. It was determined through a quantitative analysis that the event had a negligible effect on the delta Core Damage Frequency (CDF) and delta Large Early Release Fraction (LERF), resulting in an insignificant impact on the health and safety of the public. This was largely due to the sustained availability of the Lee Combustion Turbine and the Standby Shutdown Facility as well as the Protected Service Water system in a.Loss of Offsite Power situation. These additional options for preventing core damage further reduce the impact of the event on CDF and LERF.

Another major driver in the negligible risk impact was the historical lack of any threat of severe weather over the duration of the KHU unavailability. When KHU failures show up in the risk model as being significant, it is almost exclusively paired with an occurrence of a Loss of Offsite Power due to severe weather. When severe weather is not expected and does not occur, the importance of the KHUs in the risk model drops significantly. Finally, the short time frame the condition existed results in an insignificant risk impact.

ADDITIONAL INFORMATION

startup transformer which created a temporary loss of the power paths required by TS 3.8.1 and was reported under 10 CFR 50.73(a)(2)(v)(A-D) as a condition that could have prevented.the fulfillment of a safety function.

2. LER 287/2016-001 Revision 0: Described the discovery of a Unit 3 inoperable reactor building cooling unit in which had existed longer than the time allowed by the Technical Specifications and reported per 10 CFR 50.73(a)(2)(i)(B). It was also revealed that Unit 3 had entered the mode of applicability which with the inoperable cooling unit which is prohibited by TS 3.0.4.

3. LER 269-2016-002 Revision 0: Described the discovery of inoperable containment high range radiation monitors due to the potential effects of thermally induced currents during a HELB event in a containment penetration room. It was concluded that the inoperable condition had existed longer than the time allow by the Technical Specification and was reported under 10 CFR 50.73(a)(2)(i)(B).

A review of the aforementioned LERs did not point toward a similar cause or corrective actions that could have prevented this event.

Energy Industry Identification System (EIIS) codes are identified in the text as [XX].

This event is considered INPO Consolidated Events System (ICES) Reportable rather than EPIX reportable (refer to LER line 13 on page 1). There were no releases of radioactive materials, radiation exposures in excess of limits or personnel injuries associated with this event.

LER-2017-001, Loss of Both Keowee Hydroelectric Units Due to Human Error